Using the Built-in Frida¶

FIRERPA has the latest version of Frida built-in, so you don't need to start frida-server yourself. Our built-in Frida already includes various open-source anti-detection patches and our own additional hiding features, so you don't have to worry about Frida being detected. If our built-in Frida is detected, it means that almost all frida-server versions you can download will also be detected. So please use it with confidence; you don't need to worry about these miscellaneous details.

Hint

Starting from FIRERPA version 7.18, the built-in FRIDA requires a token parameter to connect. Of course, the client library has already handled everything for you. If you are using a version prior to 7.18, please refer to the [documentation for older versions](https://github.com/firerpa/lamda/tree/5.0#连接内置的-frida) for usage instructions.

Attention

Starting from version 9.0, our built-in Frida 17.x will require you to package `frida-java-bridge` into your scripts yourself. Otherwise, you will encounter errors like `Java not defined`. This is an official change from Frida. According to the official change notes, you need to create a new Node.js project and include the Java bridge. For details, please refer to https://github.com/oleavr/frida-agent-example or use our provided `tools/frida_script_generate.py` to re-package your original JS scripts.

Using via Code¶

With the FIRERPA client API, you can simply use d.frida as shown below to get an instance connected to the frida-server, without needing to construct the connection yourself using the Frida library.

conn = d.frida
conn.enumerate_processes()

Of course, if you want to understand the underlying implementation, you can refer to the following code.

# Get the dynamic token
token = d._get_session_token()

manager = frida.get_device_manager()
conn = manager.add_remote_device("192.168.0.2:65000", token=token)
conn.enumerate_processes()

The rest is up to you. You have now successfully obtained the instance.

Using via Command Line¶

Using it via the command line might be slightly more complex because we also need to ensure the security of your device. We also want to remind you not to be limited by the commands found in other articles. You need to be aware that many articles show Frida commands with a -U parameter. We don't use it here, so if you can't connect, make sure your command strictly follows the examples.

Before we begin, we highly recommend using commands like frida, frida-itrace, frida-trace, and frida-ps through the remote desktop. In that environment, you don't need to do anything extra; you can just execute frida without providing any other connection parameters like -U or -H.

Frida

Since you're reading this far, it means you still want to use the command from your computer. Now, you need to gather some information based on your setup. If your FIRERPA was started with a service certificate, you'll need to have that file ready. Additionally, you need the IP address of the device you want to connect to and the FIRERPA service port (default is 65000). Note that this is not Frida's 27042 port, but the FIRERPA service port. You only need to connect to FIRERPA.

First, you need to use the API to get the current token. This token is a fixed 16-character string, like czvpyqg82dk0xrnj. We understand this method might be a bit cumbersome and may make some usability improvements later. This is also why we recommended using Frida commands on the remote desktop earlier.

token = d._get_session_token()
print (token)

Now that you have obtained a token from the API above, let's assume it is czvpyqg82dk0xrnj. We can now start writing the Frida command. For all official Frida command-line tools, you just need to add the parameters -H 192.168.0.2:65000 and --token xxxxxxxxxxxxxxxx. For example, like this: Please pay very, very, very close attention that there is no -U parameter here.

frida -H 192.168.0.2:65000 -f com.android.settings --token xxxxxxxxxxxxxxxx

If your FIRERPA server was started with a service certificate, you also need to add the --certificate parameter to the command.

frida -H 192.168.0.2:65000 -f com.android.settings --certificate /path/to/lamda.pem --token xxxxxxxxxxxxxxxx

You may have noticed there are three differences: -U is replaced with -H because we need to connect over the network instead of USB; the --token parameter is added; and if the server uses a service certificate, the --certificate parameter is also added. This is to ensure the security of your device and prevent unauthorized access.

Using via Command Line (objection)¶

For other tools like objection, similar parameters are usually available. However, most non-standard tools do not fully implement these parameters. Currently, we have only patched objection. This patch does not affect its original usage. However, since objection has not been updated for a long time, we are not pushing the changes upstream. You can download our provided objection-1.11.0-command-patch.diff and apply this patch to your installed objection code directory (you can find the installation path with the pip3 show objection command).

After that, you can use it as follows. You'll see that only a --token parameter has been added.

objection -N -h 192.168.0.2 -p 65000 --token xxxxxxxxxxxxxxxx explore

Alternatively, if the server was started with a service certificate, you also need to add --certificate to the command.

objection -N -h 192.168.0.2 -p 65000 --certificate /path/to/lamda.pem --token xxxxxxxxxxxxxxxx explore

Exposing Application Interfaces¶

This section has been moved to the Using Frida to Export Interfaces chapter.